CVE-2026-46599 (HIGH) · CNA: Go

CVE-2026-46599: Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff

The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
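The class of defect described above is an unbounded expansion step: the PackBits run-length scheme lets one header byte and one data byte stand for up to 128 output bytes, so a decoder that never compares its output against the strip size the TIFF header already declares can be driven to allocate far more than the image's pixel dimensions justify. The following is an added illustration written for this page, not code from golang.org/x/image and not the upstream fix in v0.41.0 (whose exact change is not reproduced here); it assumes the caller knows the strip geometry (width, rows per strip, bytes per pixel) and uses that as a hard cap on decompressed output. The function names `decodePackBits` and `stripSize` and the sample byte streams are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrOutputLimit is returned when the decompressed output would exceed the
// caller-supplied bound derived from the declared image geometry.
var ErrOutputLimit = errors.New("packbits: decompressed data exceeds expected strip size")

// ErrTruncated is returned when the compressed stream ends in the middle of a run.
var ErrTruncated = errors.New("packbits: truncated input")

// decodePackBits expands Apple PackBits run-length data (the TIFF
// Compression=32773 scheme) and refuses to emit more than maxOut bytes.
// Header byte n (as int8): 0..127 copies the next n+1 bytes literally,
// -1..-127 repeats the next byte 1-n times, -128 is a no-op.
// Checking the bound before each run is what turns "tiny image, huge
// compressed stream" from a resource-exhaustion vector into a decode error.
func decodePackBits(src []byte, maxOut int) ([]byte, error) {
	out := make([]byte, 0, maxOut)
	for i := 0; i < len(src); {
		n := int8(src[i])
		i++
		switch {
		case n == -128:
			// No-op header; skip it.
			continue
		case n >= 0:
			// Literal run: copy the next n+1 bytes verbatim.
			count := int(n) + 1
			if i+count > len(src) {
				return nil, ErrTruncated
			}
			if len(out)+count > maxOut {
				return nil, ErrOutputLimit
			}
			out = append(out, src[i:i+count]...)
			i += count
		default:
			// Repeat run: the next byte is emitted 1-n times (2..128).
			count := 1 - int(n)
			if i >= len(src) {
				return nil, ErrTruncated
			}
			if len(out)+count > maxOut {
				return nil, ErrOutputLimit
			}
			b := src[i]
			i++
			for k := 0; k < count; k++ {
				out = append(out, b)
			}
		}
	}
	return out, nil
}

// stripSize computes how many decoded bytes a strip can legitimately hold
// from the geometry the TIFF header declares (hypothetical helper).
func stripSize(width, rowsPerStrip, bytesPerPixel int) int {
	return width * rowsPerStrip * bytesPerPixel
}

func main() {
	// Constructed sample: a 4x2 8-bit grayscale strip, 8 bytes when decoded.
	// 0x03 -> literal run of 4 bytes; 0xFD (-3) -> repeat next byte 4 times.
	benign := []byte{0x03, 0x10, 0x20, 0x30, 0x40, 0xFD, 0xFF}
	// Constructed hostile sample for the same declared 4x2 image: 1024 pairs of
	// 0x81 (-127) headers, each expanding one byte into 128 output bytes.
	hostile := make([]byte, 0, 2*1024)
	for k := 0; k < 1024; k++ {
		hostile = append(hostile, 0x81, 0x00)
	}
	limit := stripSize(4, 2, 1)

	out, err := decodePackBits(benign, limit)
	fmt.Printf("benign: %d bytes, err=%v\n", len(out), err)
	_, err = decodePackBits(hostile, limit)
	fmt.Printf("hostile: err=%v\n", err)
}
```

The key design point is that the limit comes from fields the decoder already has to trust for layout (ImageWidth, RowsPerStrip, BitsPerSample), so no new configuration is needed; a compressed strip that would expand past that size is rejected before the allocation happens rather than after.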

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 0.41.0
Affected Products: 1


HarborGuard Analysis

Synopsis

Excessive resource consumption in the PackBits decompression path of the golang.org/x/image/tiff package allows a remote, unauthenticated attacker to trigger unbounded memory and CPU usage by sending a crafted TIFF image. The vulnerability is reachable over the network with no authentication required, and successful exploitation causes a denial of service by exhausting the resources of any process that decodes the malicious image. A patched-image rebuild at version 0.41.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment; the CVE is ingested from upstream Go and OSV feeds within minutes of publication and matched against all customer images, including custom-built images that vendor or embed golang.org/x/image. Coverage applies to both registry scans and in-pipeline image checks.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and can weight that score further against each customer organization's compliance policy before routing the finding to the appropriate team inbox.

Patch: Available

A patched-image rebuild pinned to golang.org/x/image v0.41.0 becomes available through HarborGuard as soon as the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable decoder is exposed over the network; an attacker must be able to deliver a crafted TIFF image to a service reachable via the internet or internal network.

  • Authentication: Not required

    No credentials or session token are needed; any unauthenticated request that causes the target to decode a TIFF image is sufficient.

  • Victim interaction: Not required

    No user action is required beyond the normal operation of a service that accepts or processes TIFF images.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; crafting a malicious TIFF that triggers unbounded decompression requires no special timing, memory layout knowledge, or environmental factors.

Blast Radius

  • Crashes or hangs the process decoding the malicious TIFF image by exhausting available memory.
  • Causes sustained CPU saturation while the decoder processes unbounded PackBits-compressed data, degrading or denying service to legitimate users.
  • Any service pipeline that accepts untrusted TIFF uploads (image conversion, thumbnail generation, document processing) is a viable target.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-46599 is matched against customer images automatically within minutes of publication. For environments where the affected package is present, a rebuild at golang.org/x/image v0.41.0 is available. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, executes regression tests, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the customer's triage queue with CVSS scoring and policy weighting applied so the owning team can act manually. As an interim compensating control, network-policy rules that restrict which services are permitted to accept untrusted TIFF input can reduce exposure until the upgraded image is deployed.


Fix available: 0.41.0

Affected packages
  • golang.org/x/image / golang.org/x/image/tiff: < 0.41.0 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H